Automotive image sensor, image processing system including the same and operating method thereof

ABSTRACT

Provided is a method of operating an automotive image sensor, the method including performing a reset operation to set an initialization register corresponding to operation information of the automotive image sensor, receiving a device authentication request from an electronic control unit after performing the reset operation, performing an authentication operation with the electronic control unit based on the device authentication request, obtaining first image data while performing the authentication operation, transmitting the first image data to the electronic control unit while performing the authentication operation, obtaining second image data after the authentication operation is completed, generating a tag for the second image data, and transmitting the second image data and the tag to the electronic control unit.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit of priority to Korean Patent Application Nos. 10-2021-0062649 filed on May 14, 2021 and 10-2021-0094683 filed on Jul. 20, 2021 in the Korean Intellectual Property Office, the disclosures of which are incorporated herein by reference in their entireties.

BACKGROUND

Example embodiments of the present disclosure relate to an automotive image sensor, an image processing system including the same, and an operating method thereof.

Generally, in the automotive-IT convergence field, advanced driver assistance systems (ADAS) refer to various systems which may allow a driver to take an appropriate action based on external environmental information detected by a vehicle sensor and a camera, or may automatically control a vehicle such that a safe driving environment may be established to reduce or prevent damages caused by vehicle accidents. An ADAS may be used to warn a driver by monitoring departure from a lane when the departure occurs, to help maintain an appropriate distance by sensing a distance between vehicles, to illuminate a road according to a driving direction at night, and to sense drowsiness of a driver and warn the driver. As such, an ADAS may be an advanced driver assistance system fundamental to ensuring driver safety and convenience to implement autonomous vehicles. Therefore, the importance of sensors for an ADAS has increased.

SUMMARY

One or more example embodiments provide an automotive image sensor which may safely obtain images, an image processing system including the same, and an operating method thereof.

One or more example embodiments also provide an automotive image sensor which may be quickly booted, an image processing system including the same, and an operating method thereof.

According to an aspect of an example embodiment, there is provided a method of operating an automotive image sensor, the method including performing a reset operation to set an initialization register corresponding to operation information of the automotive image sensor, receiving a device authentication request from an electronic control unit after performing the reset operation, performing an authentication operation with the electronic control unit based on the device authentication request, obtaining first image data while performing the authentication operation, transmitting the first image data to the electronic control unit while performing the authentication operation, obtaining second image data after the authentication operation is completed, generating a tag for the second image data, and transmitting the second image data and the tag to the electronic control unit.

According to another aspect of an example embodiment, there is provided an automotive image sensor including a pixel array including a plurality of pixels provided in a plurality of row lines and a plurality of column lines, a row driver configured to select one of the plurality of row lines, an analog-to-digital conversion circuit configured to convert analog signals output by the pixel array into digital data by comparing the analog signals with a ramp signal, a ramp signal generator configured to generate the ramp signal, a buffer memory configured to store the digital data, a digital processing device configured to process the digital data into image data, a timing controller configured to control the pixel array, the row driver, the analog-to-digital conversion circuit, the ramp signal, the buffer memory, and the digital processing device, and a security circuit configured to perform device authentication with an external electronic control unit and to generate a tag for all of the image data or a portion of the image data based on key information corresponding to the device authentication, wherein the digital processing device transmits the image data to an electronic control unit while performing the device authentication.

According to another aspect of an example embodiment, there is provided an image processing system including an automotive image sensor configured to obtain an image, and an electronic control unit configured to receive image data from the automotive image sensor and to process the image data, wherein the electronic control unit includes at least one processor configured to be implemented as a boot mode selector configured to select one of a normal boot mode and a quick boot mode, and a security module configured to perform device authentication based on the automotive image sensor and verify integrity of the image data received from the automotive image sensor, wherein, in the normal boot mode, an initial setting operation of the automotive image sensor is requested after the device authentication is performed by the automotive image sensor, and wherein, in the quick boot mode, the initial setting operation of the automotive image sensor is requested after the initial setting operation of the automotive image sensor is performed.

According to another aspect of an example embodiment, there is provided a method of operating an electronic control unit, the method including transmitting an authentication request to an automotive image sensor through a communication channel after receiving operation information from the automotive image sensor, receiving a public key of the automotive image sensor from the automotive image sensor through a communication channel, generating an encryption code based on the public key, transmitting the encryption code to the automotive image sensor through the communication channel, receiving first stream data from the automotive image sensor through a transmission channel before an authentication operation is completed, and receiving second stream data from the automotive image sensor through the transmission channel after the authentication operation is completed.

BRIEF DESCRIPTION OF DRAWINGS

The above and/or other aspects, features, and advantages of example embodiments will be more clearly understood from the following detailed description, taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a diagram illustrating an image processing system according to an example embodiment;

FIG. 2 is a diagram illustrating an automotive image sensor according to an example embodiment;

FIG. 3 is a diagram illustrating a security circuit of an automotive image sensor according to an example embodiment;

FIG. 4 is a diagram illustrating a security module of an electronic control unit according to an example embodiment;

FIG. 5A is a diagram illustrating a process of outputting image data during an authentication operation in an automotive image sensor according to an example embodiment;

FIG. 5B is a diagram illustrating a process of outputting image data after an authentication operation in an automotive image sensor according to an example embodiment;

FIG. 6 is a flowchart illustrating an operating method of an automotive image sensor according to an example embodiment;

FIG. 7 is a ladder diagram illustrating an operating method of an automotive image sensor according to an example embodiment;

FIG. 8 is a timing diagram illustrating a booting operation of an automotive image sensor according to an example embodiment;

FIGS. 9A and 9B are diagrams illustrating an image processing system according to another example embodiment;

FIG. 10 is a flowchart illustrating an operating method of an automotive image sensor according to another example embodiment;

FIG. 11 is a timing diagram illustrating a normal booting operation of an automotive image sensor according to an example embodiment;

FIGS. 12, 13, 14, and 15 are diagrams illustrating a camera system according to an example embodiment; and

FIG. 16 is a perspective diagram illustrating an automotive camera device according to an example embodiment.

DETAILED DESCRIPTION

Hereinafter, example embodiments of the present disclosure will be described below with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating an image processing system 10 according to an example embodiment. Referring to FIG. 1, the image processing system 10 may include an automotive image sensor 100 and an electronic control unit 200 (ECU). The automotive image sensor 100 may be implemented by a camera device performing an imaging operation using a camera lens. The image processing system 10 may be applied to various types of systems. For example, the image processing system 10 may be applied to an autonomous driving system.

The automotive image sensor 100 may be configured to obtain an image from surroundings of a vehicle. The automotive image sensor 100 may also be configured to convert the obtained image into a secured image guaranteeing reliability and to transmit the converted secured image to the electronic control unit 200. In an example embodiment, the secured image may include original data and a tag for verifying reliability of the original data. In another example embodiment, the secured image may include an image encrypted based on an encryption algorithm.

The automotive image sensor 100 may also include a security circuit 101 configured to perform a series of security operations necessary to convert the obtained image into a secured image. The security circuit 101 may be configured in software, hardware, or firmware.

The security circuit 101 may be configured to perform an authentication operation with the electronic control unit 200. The authentication operation may be performed based on various algorithms. In an example embodiment, the authentication procedure may be performed based on an asymmetric-key algorithm such as Rivest-Shamir-Adleman (RSA), elliptic curve cryptography (ECC), and Diffie-Hellman. In another example embodiment, the authentication procedure may be performed based on a symmetric-key algorithm such as advanced encryption standard (AES) or data encryption standard (DES).

In an example embodiment, the authentication operation may be initiated after an operation of setting the automotive image sensor 100. In particular, while the authentication operation is performed, the image obtained from the automotive image sensor 100 may be transmitted to the electronic control unit 200. In this case, the image transmitted simultaneously with the authentication operation may not include a tag for reliability verification.

The security circuit 101 may also be configured to perform a security processing operation on the image to identify whether the image transmitted to the electronic control unit 200 is forged. For example, the security circuit 101 may generate a tag TAG for the obtained image, and may perform a security processing operation of transmitting the obtained image data DATA and the tag TAG attached thereto. In an example embodiment, the security circuit 101 may generate a tag, a message authentication code (MAC), for example, using an image and key information (shared key information), and may transmit the generated MAC to the electronic control unit 200 along with a corresponding image.

In an example embodiment, the security circuit 101 may select only a partial area from one of the images, and may generate a MAC using data and key information of the image of the selected area. In an example embodiment, the partial area of the image used to generate the MAC may be arbitrarily selected by the automotive image sensor 100. In another example embodiment, the partial area of the image used to generate the MAC may be provided from the electronic control unit 200 to the automotive image sensor 100. The position of the area of the image used to generate the MAC may change according to various methods. For example, an area of a fixed position may be used, or the position of an area of an image for generating a MAC may change for each frame or periodically.

The electronic control unit 200 (ECU) may be configured to receive an image (or image data) transmitted from the automotive image sensor 100 and to perform a processing operation thereon. For example, the electronic control unit 200 may be configured as a semiconductor chip configured separately from the automotive image sensor 100. In an example embodiment, the semiconductor chip may be a system on chip (SoC) in which at least one processor and an image processing module are integrated. For example, the electronic control unit 200 may be configured as an advanced driver assistance system (ADAS) SoC.

In an example embodiment, the electronic control unit 200 may obtain a MAC using the received image and key information, and may verify integrity of the image transmitted from the automotive image sensor 100 by comparing the MAC transmitted from the automotive image sensor 100 with a MAC calculated by the electronic control unit 200. In another example embodiment, the electronic control unit 200 may select an area of the same position from the received image, may obtain a MAC using image data and key information of the selected area, and may verify integrity of the image by comparing the MAC transmitted from the automotive image sensor 100 with the MAC calculated by the electronic control unit 200.

The electronic control unit 200 may also communicate with an external electronic control unit by various communication methods such as controller area network (CAN), media oriented systems transport (MOST), local interconnect network (LIN), FlexRay, Ethernet, or the like.

In the image processing system 10 illustrated in FIG. 1, a single electronic control unit 200 and a single automotive image sensor 100 are illustrated, but embodiments are not limited thereto. The image processing system 10 according to an example embodiment may be implemented in other various forms. For example, the image processing system 10 may include two or more electronic control units 200 and the number of automotive image sensors 100 included in the image processing system 10 may be varied.

When the image processing system 10 is implemented as an autonomous driving system, a plurality of camera devices may be employed in a vehicle. The amount of image data transmitted by the camera sensor of each camera device may be 6 to 12 Gbps. However, the amount of data transmitted from the camera sensor may not be limited thereto.

The electronic control unit 200 may, by analyzing a large amount of images received from each camera sensor, interpret a current traffic situation and obstacles based on the analysis, and may execute device control for a subsequent operation in real time. The electronic control unit 200 may also perform a security processing operation to check whether the image is transmitted from a legitimate camera device and whether the image is not forged while the image is transmitted.

The electronic control unit 200 may include a security module 201 (hardware security module; HSM) configured to perform the device authentication operation and the image integrity verification operation of the automotive image sensor 100 described above. The security module 201 may be implemented in software, hardware, or firmware.

A hardware security module (HSM) may refer to a cryptographic processor specially designed for protecting a lifecycle of an encryption key. The HSM may perform cryptographic processing, key protection, and key management within an enhanced anti-counterfeiting device. An HSM used in a vehicle controller domain may include a secure memory for safely storing a key. For example, the secure memory may include an HSM dedicated random access memory (RAM) or a read only memory (ROM) with high security, separate from the host system. The HSM may perform a series of operations through a dedicated central processing unit (CPU) to perform functions relatively safely from attacks by potential attackers.

In the image processing system, the automotive image sensor 100 and the electronic control unit 200 may perform a device authentication procedure before an actual image is transmitted. Such a device authentication procedure may be performed when the automotive image sensor 100 is initially driven or booted. A general image processing system may require a significant amount of time to transmit a secured image after the device authentication procedure is performed. Accordingly, a customer who uses the image processing system may experience visual discomfort.

The image processing system 10 in an example embodiment may perform the device authentication procedure in the initialization operation of the automotive image sensor 100 and may transmit the obtained image to the electronic control unit 200 simultaneously, such that the user convenience may improve.

FIG. 2 is a diagram illustrating an automotive image sensor 100 according to an example embodiment. Referring to FIG. 2, the automotive image sensor 100 may include a security circuit 101, a pixel array 110, a row driver 120, an analog-to-digital conversion circuit 130, a ramp voltage generator 160, a timing controller 170, a buffer 180, and a digital processing device 190 (image signal processor(s) (ISP(s))).

The security circuit 101 may be configured to perform a device authentication procedure with the external electronic control unit 200 or to generate a tag corresponding to an obtained image.

The pixel array 110 may include a plurality of pixels arranged in a matrix form, each of which is connected to a plurality of row lines and a plurality of column lines CL. Each of the plurality of pixels may include a photosensing device. For example, the photosensing device may include a photodiode, a phototransistor, a port gate, or a pinned photodiode. Each of the plurality of pixels may include at least one photosensing device. In an example embodiment, each of the plurality of pixels may include a plurality of photosensing devices. The plurality of photosensing devices may be stacked on each other.

Each of the plurality of pixels may sense light using the photosensing device, and may convert light into a pixel signal which may be an electrical signal. Each of the plurality of pixels may sense light in a specific spectral region. For example, the plurality of pixels may include a red pixel for converting light in a red spectral region into an electrical signal, a green pixel for converting light in a green spectral region into an electrical signal, and a blue pixel for converting light in a blue spectral region into an electrical signal. A color filter for transmitting light of a specific spectral region may be disposed on each of the plurality of pixels.

Each of the plurality of pixels may be configured to perform both a signal dump operation and a readout operation using a single source follower transistor.

The row driver 120 may be configured to drive the pixel array 110 in a row unit. The row driver 120 may decode a row control signal (e.g., an address signal) generated by the timing controller 170, and may select at least one of the row lines included in the pixel array 110 in response to the decoded row control signal. For example, the row driver 120 may generate a row selection signal. The pixel array 110 may also output a pixel signal from a row selected by the row selection signal provided by the row driver 120. The pixel signal may include a reset signal and an image signal.

The analog-to-digital conversion (ADC) circuit 130 may be configured to convert an analog pixel signal input from the pixel array 110 into digital data in response to the ADC activation signal ADC_EN. The analog-to-digital conversion circuit 130 may include a comparison circuit 140 (CDB) and a counter circuit 150 (DBS).

The comparison circuit 140 may be configured to compare a pixel signal output by a unit pixel connected to one of the column lines CL included in the pixel array 110 with the ramp voltage RAMP. The comparison circuit 140 may include a plurality of comparators 141 provided to correspond to each column. Each comparator 141 may be connected to the pixel array 110 and the ramp voltage generator 160.

The comparator 141 (CMP) may be configured to compare the pixel signal with the received ramp voltage RAMP generated by the ramp voltage generator 160, and to output a comparison result signal to an output terminal. The comparator 141 may also generate a comparison result signal to which a correlated double sampling (CDS) technique is applied. Pixel signals output by the plurality of pixels may have a deviation between unique properties (e.g., fixed pattern noise (FPN)) of the pixels, or a deviation caused by a difference between properties of logics for outputting a pixel signal from the pixel PX. The correlated double sampling technique is directed to calculating or obtaining a reset component (or a reset signal) and an image component (or an image signal) for each of the pixel signals to compensate for the deviation between the pixel signals, and extracting the difference as a valid signal component. The comparator 141 may output a comparison result signal to which the correlated double sampling technique is applied.

The comparator 141 may also be configured as a two-stage amplifier. For example, the comparator 141 may include a first amplifier for comparing the pixel signal with the ramp voltage, and a second amplifier for amplifying an output of the first amplifier and outputting the amplified output. In an example embodiment, the first amplifier may operate based on a smaller amount of bias current in an auto-zero stage than in the comparison operation stage. Accordingly, an input range may increase as noise is reduced. In an example embodiment, the second amplifier may adaptively control current sources generating a bias current for each operation, and may generate a minimum bias current before and after a decision. Accordingly, power supply fluctuations caused by the operation of the second amplifier may be prevented. In an example embodiment, the first amplifier may include a limiting circuit connecting an output terminal to a common node. The limiting circuit may prevent a voltage level of the common node from being lowered below a minimum value at which the first amplifier may normally operate, and may compensate for voltage fluctuation occurring in the output node.

The comparison circuit 140 may also be configured to output a decision signal (e.g., an output signal of the comparator) at different times according to column line groups.

The counter circuit 150 may include a plurality of counters. Each of the plurality of counters 151 (CNT) may be connected to an output terminal of the comparators 141 and may be configured to count based on the output of each comparator 141. A counter control signal CTCS may include a counter activation signal, a counter clock signal, a counter reset signal for controlling a reset operation of the plurality of counters 151, and an inverting signal for inverting internal bits of each of the plurality of counters. The counter circuit 150 may count a comparison result signal according to the counter clock signal and may output the signal as digital data.

The counter 151 (CNT) may include an up/down counter or a bit-wise counter. In this case, the bit-wise counter may perform an operation similar to that of the up/down counter. For example, the bit-wise counter may perform a function of only up-counting, and may perform a function of inverting entire bits in the counter into 1's complements when a specific signal comes in. The bit-wise counter may perform a reset count and may invert the count into 1's complements, that is, a negative value.

The ramp voltage generator 160 may be configured to generate a ramp voltage (or ADC reference voltage). The ramp voltage generator 160 may operate based on the ramp control signal CTRP provided by a timing controller 170. The ramp control signal CTRP may include a ramp enable signal, a mode signal, and the like. When the ramp enable signal is activated, the ramp voltage generator 160 may generate a ramp voltage RAMP having a slope determined based on the mode signal.

The timing controller 170 may be configured to control operations or timings of the row driver 120, the analog-to-digital conversion circuit 130, and the ramp voltage generator 160 by outputting a control signal or a clock signal to each of the row driver 120, the analog-to-digital conversion circuit 130, and the ramp voltage generator 160. The timing controller 170 may also generate switching control signals provided to the comparison circuit 140 to differentiate the decision speeds depending on a column line group.

The buffer 180 may be configured to temporarily store, amplify and output digital data output by the analog-to-digital conversion circuit 130. The buffer 180 may include a column memory block 181 (MEM) and a sense amplifier circuit 182 (SA).

The column memory block 181 (MEM) may include a plurality of memories. Each of the plurality of memories may temporarily store digital data output by each of the plurality of counters 151 and may output the digital data to the sense amplifier circuit 182.

The sense amplifier circuit 182 (SA) may be configured to sense and amplify digital data output by the plurality of memories. The sense amplifier circuit 182 may output the amplified digital data to the digital processing device 190 as image data.

The digital processing device 190 may be configured to perform at least one image processing operation on the obtained image (or the image stored in the memory) and may output the processed image data DATA to an external entity. For example, the at least one image processing operation may include generating a depth map, 3D modeling, generating a panorama, extracting feature points, synthesizing an image, or compensating an image (e.g., reducing noise, adjusting resolution, adjusting brightness, blurring, sharpening, softening). The digital processing device 190 may also perform exposure time control, or readout timing control. The image processed by the digital processing device 190 may be stored back in the memory or may be provided to an external component.

Also, the digital processing device 190 may transmit the entire obtained image or a portion of the obtained image to the security circuit 101 to generate a tag.

FIG. 3 is a diagram illustrating a security circuit 101 of an automotive image sensor 100 according to an example embodiment. Referring to FIG. 3, the security circuit 101 may include an authenticator 101-1, a tag generator 101-2, an image area selector 101-3, and a key buffer 101-4.

The authenticator 101-1 may be configured to perform a mutual authentication operation for device authentication with the electronic control unit 200. In an example embodiment, the authenticator 101-1 may perform a challenge-response-based authentication procedure. The authenticator 101-1 may perform a device authentication procedure using a symmetric-key algorithm or an asymmetric-key algorithm.

The tag generator 101-2 may be configured to generate a tag for performing a security processing operation to verify integrity of the image. For example, the tag generator 101-2 may generate a tag through an operation on key information and image data. The key information may be key information obtained through consultation with the electronic control unit 200 or having the same information as in the electronic control unit 200. In an example embodiment, the key information may include a session key transmitted and received during a session between the automotive image sensor 100 and the electronic control unit 200.

The image area selector 101-3 may be configured to select an area of an image on which security processing is performed based on area information. For example, such area information may be arbitrarily generated in the automotive image sensor 100. In an example embodiment, data of an area of an image corresponding to the area information may be provided to the tag generator 101-2. In another example embodiment, the area information may be provided from the electronic control unit 200 to the automotive image sensor 100. In an example embodiment, the position of the area of the image selected by the area information may change over time.

The key buffer 101-4 may be configured to store a key value required for an authentication operation. For example, when authentication is performed based on asymmetric-key encryption, the key buffer 101-4 may read out a private key stored in a one-time programmable (OTP) memory in the security circuit 101, and store the private key, or may store an encryption code (e.g., a key value encrypted using a public key) received from the electronic control unit 200.

FIG. 4 is a diagram illustrating a security module 201 of an electronic control unit 200 according to an example embodiment. Referring to FIG. 4, the security module 201 may include a device authenticator 201-1, a tag generator 201-2, an image area selector 201-3, and an image integrity verifier 201-4.

The device authenticator 201-1 may be configured to perform a device authentication procedure with the automotive image sensor 100.

The tag generator 201-2 may generate a tag using data of a selected area from the transmitted image and key information such as a session key.

The image area selector 201-3 may select an image area from the image data DATA transmitted from the automotive image sensor 100, on which security processing may be performed. When the area information is generated in the electronic control unit 200, the image area selector 201-3 may select an image area using pre-owned area information. When the area information is transmitted from the automotive image sensor 100, the image area selector 201-3 may select an image area using the area information transmitted from the automotive image sensor 100.

The image integrity verifier 201-4 may be configured to verify integrity of the transmitted image data IDATA by comparing a tag output by the tag generator 201-2 with a tag transmitted from the automotive image sensor 100.
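The partial-area tag scheme of tag generators 101-2/201-2, image area selectors 101-3/201-3 and integrity verifier 201-4 can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 as the MAC, the key-derived per-frame region position, and binding the frame number and region coordinates into the tag are all assumptions, and the frame and key are constructed sample values. It also shows what a partial-area tag does not cover: pixels outside the selected area.

```python
import hashlib
import hmac
import struct

MAC_ALG = hashlib.sha256  # assumption: the page does not name a MAC algorithm


def region_bytes(frame, width, x, y, w, h):
    """Return the pixels of the w*h window at (x, y) of a row-major 8-bit frame."""
    height = len(frame) // width
    if w <= 0 or h <= 0 or x < 0 or y < 0 or x + w > width or y + h > height:
        raise ValueError("region outside frame")
    return b"".join(frame[(y + r) * width + x:(y + r) * width + x + w]
                    for r in range(h))


def select_region(session_key, frame_no, width, height, w, h):
    """Per-frame region position that both sides can derive (hypothetical scheme)."""
    d = hmac.new(session_key, b"region" + struct.pack(">Q", frame_no), MAC_ALG).digest()
    x = int.from_bytes(d[:4], "big") % (width - w + 1)
    y = int.from_bytes(d[4:8], "big") % (height - h + 1)
    return x, y, w, h


def make_tag(session_key, frame, width, frame_no, region):
    """Sensor side: MAC over frame number, region coordinates and region pixels."""
    header = struct.pack(">QHHHH", frame_no, *region)
    pixels = region_bytes(frame, width, *region)
    return hmac.new(session_key, header + pixels, MAC_ALG).digest()


def verify_tag(session_key, frame, width, frame_no, region, tag):
    """ECU side: recompute over the same region, compare in constant time."""
    try:
        expected = make_tag(session_key, frame, width, frame_no, region)
    except (ValueError, struct.error):
        return False
    return hmac.compare_digest(expected, tag)


def demo():
    key = bytes(range(32))                    # constructed session key
    width, height = 16, 8
    frame = bytearray(range(width * height))  # constructed 16x8 frame
    frame_no = 7
    region = select_region(key, frame_no, width, height, 4, 4)
    tag = make_tag(key, frame, width, frame_no, region)
    x, y, w, _ = region

    inside = bytearray(frame)
    inside[y * width + x] ^= 0xFF             # change a pixel inside the region
    outside = bytearray(frame)
    outside[y * width + (x + w) % width] ^= 0xFF  # same row, outside the region

    next_region = select_region(key, frame_no + 1, width, height, 4, 4)
    return {
        "intact": verify_tag(key, frame, width, frame_no, region, tag),
        "inside_modified": verify_tag(key, inside, width, frame_no, region, tag),
        # Passes: a partial-area tag says nothing about pixels it does not cover.
        "outside_modified": verify_tag(key, outside, width, frame_no, region, tag),
        # Fails: the old tag is bound to frame 7, not frame 8.
        "old_tag_on_next_frame": verify_tag(key, frame, width, frame_no + 1,
                                            next_region, tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Moving the region per frame, as the description allows, limits how long any given pixel stays uncovered, but only a tag over the whole frame covers every pixel of that frame.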

FIG. 5A is a diagram illustrating a process of outputting image data IDATA during an authentication operation in an automotive image sensor 100 according to an example embodiment. FIG. 5B is a diagram illustrating a process of outputting image data IDATA after an authentication operation in an automotive image sensor 100 according to an example embodiment.

Referring to FIG. 5A, the security circuit 101 of the automotive image sensor 100 and the security module 201 of the electronic control unit 200 may perform an authentication operation. While the authentication operation is performed, in the on-air state, the automotive image sensor 100 may output the obtained image data IDATA to the electronic control unit 200 for a predetermined period of time. The predetermined time may be selectively set in the electronic control unit 200.

Referring to FIG. 5B, after the authentication operation between the security circuit 101 and the security module 201 is completed, the automotive image sensor 100 may generate a tag TAG corresponding to the obtained image data IDATA using the key information shared in the authentication operation and may output the obtained image data IDATA and the tag TAG to the electronic control unit 200.
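One way an ECU could enforce the two phases of FIGS. 5A and 5B is sketched below as an added example, not code from the patent. The class name `FrameGate`, the trust labels, the window length, and the use of HMAC-SHA256 over the whole frame are assumptions; the frames and key are constructed. Untagged frames are accepted only while authentication is pending and only inside the ECU-configured window, and every frame after authentication must carry a valid tag.

```python
import hashlib
import hmac


class FrameGate:
    """ECU-side acceptance policy for frames received around device authentication."""

    def __init__(self, preauth_window_s, started_at):
        # End of the period in which untagged frames are tolerated (set by the ECU).
        self.deadline = started_at + preauth_window_s
        self.session_key = None  # filled in when authentication completes

    def authentication_done(self, session_key):
        self.session_key = session_key

    def accept(self, frame, tag, now):
        """Return (accepted, trust); trust is 'unverified', 'verified' or 'rejected'."""
        if self.session_key is None:
            # FIG. 5A phase: no shared key yet, so a tag cannot be checked.
            if tag is None and now <= self.deadline:
                return True, "unverified"
            return False, "rejected"
        # FIG. 5B phase: an untagged frame is no longer acceptable.
        if tag is None:
            return False, "rejected"
        expected = hmac.new(self.session_key, frame, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return True, "verified"
        return False, "rejected"


def run_timeline():
    """Replay a constructed sequence of frames and return the trust label of each."""
    key = b"\x11" * 32            # constructed session key
    frame = b"constructed-frame"  # constructed frame payload
    gate = FrameGate(preauth_window_s=0.5, started_at=0.0)

    results = [gate.accept(frame, None, now=0.1)]       # during authentication
    results.append(gate.accept(frame, None, now=0.9))   # window over, still no key

    gate.authentication_done(key)
    good_tag = hmac.new(key, frame, hashlib.sha256).digest()
    results.append(gate.accept(frame, good_tag, now=1.0))         # tagged, intact
    results.append(gate.accept(frame, None, now=1.1))             # tag stripped
    results.append(gate.accept(frame + b"x", good_tag, now=1.2))  # data altered
    return [trust for _, trust in results]


if __name__ == "__main__":
    print(run_timeline())
```

The `unverified` label lets downstream consumers tell frames received during authentication apart from frames whose tag was checked.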

FIG. 6 is a flowchart illustrating an operating method of an automotive image sensor 100 according to an example embodiment. Referring to FIGS. 1 to 6, the automotive image sensor 100 may operate as below. To use the automotive image sensor 100, a CIS reset operation may be performed. Information related to the automotive image sensor 100 may be basically set as a register according to the CIS reset operation. After the reset operation is completed, the reset operation may be released and ended (S110). Operation S110 may be indicated as a CIS booting time for the stream-on state of the automotive image sensor 100.

In this case, the automotive image sensor 100 may perform an operation for obtaining an image. The automotive image sensor 100 may be in a stream-on state for transmitting the obtained image data IDATA, which may be stream data, to the ECU (see FIG. 1, the electronic control unit 200) using a transmission channel (S120). The transmission channel may transmit data according to a mobile industry processor interface (MIPI) standard. However, the transmission channel in an example embodiment is not limited thereto. For example, the transmission channel may transmit data by MIPI Automotive SerDes Solution (MASS).

In the stream-on state, that is, while image data IDATA is output, the automotive image sensor 100 may determine whether a security function request has been received from the ECU for device authentication (S130). When there is no security function request from the ECU, the automotive image sensor 100 may transmit the obtained image data IDATA to the ECU that is a host. When there is a security function request from the ECU, the automotive image sensor 100 may obtain the RSA encryption code from the ECU using a communication channel (S140). The communication channel may transmit and receive data according to an inter-integrated circuit (I2C) interface or a serial peripheral interface (SPI). However, the communication channel in an example embodiment is not limited thereto. Thereafter, the automotive image sensor 100 may RSA-decrypt the encryption code with the key value (S150). The decrypted key value may be provided for integrity calculation (S160).

Thereafter, it may be determined whether the security function of the automotive image sensor 100 is activated (S170). When the security function is not activated, the automotive image sensor 100 may transmit the obtained image data IDATA to the ECU as is. When the security function is activated, a message authentication code (MAC) for the image data IDATA obtained using the key value for integrity calculation may be generated (S180). Thereafter, the automotive image sensor 100 may transmit the obtained image data IDATA and the tag TAG corresponding to the MAC to the ECU that is the host (S190).

FIG. 7 is a ladder diagram illustrating an operating method of an automotive image sensor 100 according to an example embodiment. Referring to FIG. 7, the image processing system 10 may operate as below.

The ECU (e.g., the electronic control unit 200 in FIG. 1) may supply power to the AIS (e.g., the image sensor 100 for a vehicle in FIG. 1) (S10). The AIS may perform a CIS reset operation (S11). The ECU may transmit an authentication request for performing a device authentication procedure to the AIS (S12). The ECU and the AIS may perform a predetermined authentication operation in response to the authentication request (S13). While the authentication operation is performed, the AIS may obtain an image of the surroundings of the vehicle and may output the obtained image data IDATA to the ECU (S15).

After the authentication operation is completed, the AIS may obtain an image (S16). The AIS may generate a tag (e.g., a MAC value) for the obtained image data using the key information (S17). The key information may correspond to a shared key value according to an authentication operation. Thereafter, the AIS may output the image data IDATA and the tag TAG to the ECU (S18). The ECU may verify integrity of the image data IDATA using the transmitted image data IDATA and the tag TAG, and may output the verified image data to the other devices (e.g., the other ECU, a display device) using a vehicle communication network.
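The ECU-side handling of operations S15 to S18 can be sketched as follows. This is an added example, not code from the disclosure. It assumes HMAC-SHA256 as the MAC (the text only says "MAC"), a random key standing in for the key value shared during authentication (the RSA transport itself is not modelled), and a hypothetical policy in which frames received during authentication are passed on marked as unverified.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

Region = Tuple[int, int]  # (offset, length) of the frame bytes covered by the tag


def make_tag(key: bytes, frame: bytes, region: Optional[Region] = None) -> bytes:
    """Sensor side (S17): MAC over the whole frame or over a selected area."""
    off, length = (0, len(frame)) if region is None else region
    if off < 0 or length <= 0 or off + length > len(frame):
        raise ValueError("region lies outside the frame")
    # Assumption of this example: the region bounds are bound into the MAC so
    # a tag computed for one area cannot be presented for another.
    header = off.to_bytes(4, "big") + length.to_bytes(4, "big")
    return hmac.new(key, header + frame[off:off + length], hashlib.sha256).digest()


@dataclass
class Verdict:
    accepted: bool   # frame is passed on to downstream consumers
    verified: bool   # integrity was actually checked against a tag
    reason: str


class EcuReceiver:
    """ECU side: image integrity verification around the authentication step."""

    def __init__(self, region: Optional[Region] = None):
        self.key: Optional[bytes] = None
        self.region = region

    def authentication_complete(self, shared_key: bytes) -> None:
        self.key = shared_key

    def receive(self, frame: bytes, tag: Optional[bytes] = None) -> Verdict:
        if self.key is None:
            # S15: first image data arrives while authentication is running.
            return Verdict(True, False, "pre-authentication frame, not verified")
        if tag is None:
            # After S13 every frame is expected to carry a tag (S18).
            return Verdict(False, False, "untagged frame after authentication")
        expected = make_tag(self.key, frame, self.region)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return Verdict(False, False, "tag mismatch")
        return Verdict(True, True, "tag verified")


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed stand-in for the shared key
    frame = bytes(range(256)) * 4        # constructed 1024-byte "image"
    altered = bytearray(frame)
    altered[500] ^= 0xFF                 # single modified byte at offset 500
    altered = bytes(altered)

    full = EcuReceiver()                 # tag covers all of the image data
    out = {"during_auth": full.receive(frame)}
    full.authentication_complete(key)
    tag = make_tag(key, frame)
    out["tagged"] = full.receive(frame, tag)
    out["altered_full"] = full.receive(altered, tag)
    out["untagged_after_auth"] = full.receive(frame)

    area = (0, 64)                       # tag covers only the first 64 bytes
    part = EcuReceiver(region=area)
    part.authentication_complete(key)
    # Byte 500 lies outside the covered area, so this change is not detected.
    out["altered_outside_area"] = part.receive(altered, make_tag(key, frame, area))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The last case shows the trade-off of tagging only a portion of the image: bytes outside the selected area are not covered by the integrity check.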

FIG. 8 is a timing diagram illustrating a booting operation of an automotive image sensor 100 according to an example embodiment. Referring to FIG. 8, the booting operation may be performed when the CIS reset signal is at a high level.

Through the I2C channel, the ECU may write information related to the initialization operation in the CIS. Accordingly, the CIS setting operation may be performed. Thereafter, the ECU may read out the public key (PubK CERT_camera) from the CIS for device authentication through the I2C channel. Thereafter, the ECU may write the RSA encryption code in the CIS through the I2C channel.

The CIS may be in a hardware standby state or in an idle state IDLE before a CIS setting operation is performed. In the CIS setting operation period, the CIS may perform register setting for performing an image sensing operation. CIS information according to the register setting may be transmitted to an ECU. When the register setting is completed, the CIS may sense an image. The CIS may instantly output the obtained first image stream to the ECU. As illustrated in FIG. 8, a device authentication operation may be performed while the first image stream is transmitted. The CIS may perform a one-time programming (OTP) read operation to obtain a private key PrivK. Thereafter, the CIS may transmit the private key PrivK to the key buffer. The ECU may write an encryption code in the key buffer of the CIS. The encryption code may include a key value encrypted to a public key PubK CERT_camera of the CIS. The CIS may decrypt the encryption code using the private key PrivK. Accordingly, the CIS may share a key value with the ECU through an authentication operation. Thereafter, the CIS may generate a tag (or MAC value) for the obtained image using the shared key value. As illustrated in FIG. 8, a device authentication operation (ECU: Dev. Auth) of the ECU may be performed while image streaming is performed in the CIS after the CIS register is set. Accordingly, the CIS booting time may be shortened.

The image processing system according to an example embodiment may be configured to selectively operate the above-described booting method and the existing booting method.

FIGS. 9A and 9B are diagrams illustrating an image processing system 20 according to another example embodiment. Referring to FIG. 9A, the image processing system 20 may include an automotive image sensor 100 a and an electronic control unit 200 a.

The automotive image sensor 100 a may further include a boot mode selector 102 in addition to the example illustrated in FIG. 1. The boot mode selector 102 may select a normal boot mode 102-1 or a quick boot mode 102-2 according to a user's selection as illustrated in FIG. 9B. The normal boot mode 102-1 may indicate a mode for outputting secured image data to the electronic control unit 200 a after device authentication according to the existing image sensor booting procedure. The quick boot mode 102-2 may also be configured to instantly transmit the image data IDATA to the electronic control unit 200 a while the device authentication operation is performed as described with reference to FIGS. 1 to 8.

The electronic control unit 200 a may include a security module 201 a (HSM) configured to perform different device authentication operations by communicating with the security circuit 101 of the automotive image sensor 100 a according to the selected boot mode. The security module 201 a may also perform an integrity verification operation on the received image data IDATA according to a timing corresponding to the selected boot mode.

FIG. 10 is a flowchart illustrating an operating method of an automotive image sensor 100 a according to another example embodiment. Referring to FIGS. 9A, 9B, and 10, the automotive image sensor 100 a may operate as below. A CIS reset operation may be performed to use the automotive image sensor 100 a. Information related to the automotive image sensor 100 a may be basically set as a register according to the CIS reset operation. In this case, a normal boot mode may be set as a boot mode. After the reset operation is completed, the reset operation may be released and ended (S210).

The automotive image sensor 100 a may determine whether a security function request has been received from the ECU for device authentication (S220). When there is no security function request from the ECU, the automotive image sensor 100 a may stream on operation S260 to transmit the obtained image data IDATA to the ECU that is the host. When there is a security function request from the ECU, the automotive image sensor 100 a may obtain an RSA encryption code from the ECU using a communication channel (S230). Thereafter, the automotive image sensor 100 a may RSA-decrypt the encryption code with the key value (S240). The decrypted key value may be provided for integrity calculation (S250). In this case, the automotive image sensor 100 a may maintain a stream-on state in which image stream data may be transmitted to the ECU 200 a through the transmission channel (S260). A duration from operation S220 to operation S250, before the stream-on state, may be the CIS booting time.

Thereafter, it may be determined whether the security function of the automotive image sensor 100 a is activated (S270). When the security function is not activated, the automotive image sensor 100 a may enter operation S290 to transmit the obtained image data IDATA to the ECU as is. When the security function is activated, a message authentication code MAC for the obtained image data IDATA may be generated using the key value for integrity calculation (S280). Thereafter, the automotive image sensor 100 a may transmit the obtained image data IDATA and the tag TAG corresponding to the MAC to the ECU that is the host (S290).

FIG. 11 is a timing diagram illustrating a normal booting operation of an automotive image sensor CIS according to an example embodiment. Referring to FIG. 11, a booting operation may be performed when the CIS reset signal is at a high level.

The ECU may read out the public key PubK CERT_camera from the CIS for device authentication through the I2C channel. Thereafter, the ECU may write the RSA encryption code in the CIS through the I2C channel. Thereafter, the ECU may write information related to the initialization operation in the CIS through the I2C channel. Accordingly, the CIS setting operation may be performed.

The CIS may be in a hardware standby state or in an idle state IDLE before a CIS setting operation is performed. The CIS may perform a one-time programming (OTP) read operation to obtain a private key PrivK. Thereafter, the CIS may transmit the private key PrivK to the RSA buffer.

Thereafter, the ECU may write the encryption code in the RSA buffer of the CIS. The CIS may decrypt the encryption code using the private key PrivK. Accordingly, the CIS may share a key value with the ECU through the authentication operation. Thereafter, the CIS may generate a tag or MAC value for the obtained image using the shared key value.

Thereafter, after the CIS completes the register setting internally within the CIS setting section, the CIS may transmit the obtained image to the ECU together with the tag.

As illustrated in FIG. 11, after the device authentication operation (ECU: Dev. Auth) of the ECU is completed, the CIS setting may be performed, and thereafter, the CIS may safely output image data IDATA and a tag TAG for integrity verification.

FIGS. 12 to 15 are diagrams illustrating a camera system 30 according to an example embodiment. Referring to FIG. 12, the camera system 30 may include a camera device 400 and an advanced driver assistance system (ADAS) SOC 500 configured to receive an image. In FIG. 12, an image from an external entity may be provided to the camera device 400, but the camera device 400 may directly generate an image through an image sensor therein. The camera device 400 may include an image processor 410 configured to process an image and a packet format encoder 420 configured to create a transmission format to transmit an image to the ADAS SOC 500. The image processor 410 may be configured to perform the operation of the digital processing device 190 illustrated in FIG. 2. The camera device 400 may also further include a security circuit 430 for performing device authentication and image authentication in relation to a security function. The security circuit 430 may be configured to perform the function of the security circuit 101 described with reference to FIGS. 1 to 11.

The security circuit 430 may further include a security controller 431 configured to receive a command from and transmit a command to the ADAS SOC 500, a key sharer 432 configured to perform a cryptographic operation to generate and exchange a session key between the ADAS SOC 500 and the camera device 400, a tag generator 433 configured to prevent forgery and falsification of the transmitted image and to generate a tag for image authentication, and a secure storage 434 configured to store a pre-shared key or a certificate for device authentication, and an ID.

The ADAS SOC 500 may also include a security/crypto module as a component for processing an image transmitted from the camera device 400, and the security/crypto module may perform the function of the security processing module described in the aforementioned embodiment. The ADAS SOC 500 may also include a packet processing unit configured to decode the received packet, a key storage unit configured to store various key information related to device authentication and image authentication, and an image processing module configured to process image data. The ADAS SOC 500 may be configured to perform an operation of the electronic control unit 200 described in FIGS. 1 to 11.

Functions performed by the components in the example embodiment illustrated in FIG. 12 and the example embodiments below will be further described as below. The image processor 410 may be configured to process an image collected by an image sensor or an image provided from an external entity, and may be configured to transmit data of a specific area of the image to the security controller 431 according to the information (e.g., area information) received from the security controller 431 along with the image processing function in an existing camera device. The packet format encoder 420 may be configured to packetize an image to be transmitted, and may add a code (e.g., MAC) generated for image authentication to a header or a footer of a packet.

The security controller 431 may correspond to a module which may generally manage the security function of the camera device. In an example embodiment, the security controller 431 may send and receive specific information (random challenges, encrypted messages, digital signatures, etc.) through communication with the ADAS SOC 500, may transfer area information indicating a specific position of image data to the image processor 410 and may receive data of the corresponding area, may transfer received data of an image to the tag generator 433, may transmit a session key secured from the key sharer 432 to the tag generator 433 or may transfer a specific value stored in the secure storage unit 434 to the ADAS SOC 500 or may set the value in the key sharer 432.

The key sharer 432 may be configured to decrypt specific area information for an image to which a session key and a MAC transferred by the ADAS SOC 500 are applied. In an example embodiment, a public key encryption system such as RSA or ECC may be applied, or a private key encryption system such as AES may be applied. Also, the ADAS SOC 500 may generate a key and may transmit the key to the camera device 400, or the ADAS SOC 500 and the camera device 400 may share a session key using a key exchange protocol such as DH and EC-DH. The decrypted session key and area information may be transmitted to the security controller 431 or the tag generator 433.

The tag generator 433 may perform a MAC operation on the image data received from the security controller 431 using a session key received from the key sharer 432. As a result of the operation, the MAC value may be transmitted to the packet format encoder 420 and may be transmitted to the ADAS SOC 500.

The secure storage unit 434 may be configured as a storage circuit for safely storing a private/public key pair of the camera device 400 and a certificate, or a pre-shared key shared in advance between the camera device 400 and the ADAS SOC 500. As the ID of the camera device 400, a value which may be public but not forged may be stored in the secure storage unit 434.

The ADAS SOC 500 may include a main processor responsible for autonomous driving in automotive products. In the example embodiment, since an automotive product is described as an example, the entity may be defined as an ADAS SOC, but the ADAS SOC 500 may be configured as an entity for processing, analyzing, and storing an image transmitted by the camera device 400.

Various components of the camera device 400 illustrated in FIG. 12 may be configured in various manners. In an example embodiment, a processor configured to execute programs in the camera device 400 may be further provided, and the processor may execute programs stored in an operation memory in the camera device 400 in FIG. 12 such that functions of various components illustrated in FIG. 12 may be performed. In another example embodiment, various components in the camera device 400 may include circuits performing corresponding functions, such that the functions thereof may be performed in hardware, or various components provided in the camera device 400 may be configured by a combination of hardware and software.

In the description below, more specific operations of the camera system 30 illustrated in FIG. 12 will be described. FIG. 13 is a diagram illustrating the example in which the camera device 400 and the ADAS SOC 500 may perform device authentication using a pre-shared key. In an example embodiment, the camera device 400 and the ADAS SOC 500 may perform a challenge-response-based authentication procedure. The authentication procedure may be performed by the ADAS SOC 500 confirming that the camera device 400 is a legitimate device, which may be available by confirming ownership of an existing shared key (e.g., a pre-shared key). This method may be performed in the order as below.

Each of the camera device 400 and the ADAS SOC 500 may possess a pre-shared key. The pre-shared key may be configured as a key of a block cipher such as advanced encryption standard (AES), and the ADAS SOC 500 and the camera device 400 may share the same key, and may need to be safely stored in the secure storage 434 of the camera device 400.

In an example embodiment, the ADAS SOC 500 may determine whether the camera device 400 possesses a pre-shared key based on a challenge-response scheme to confirm that the camera device 400 is a legitimate device. To this end, the ADAS SOC 500 may generate a random challenge having a random value (e.g., a random number of a predetermined number of bits) and may transmit the value to the camera device 400.

The camera device 400 receiving the random challenge may encrypt the random challenge using the pre-shared key stored in the secure storage 434, and may transmit the encrypted random challenge Random Challenge_EN back to the ADAS SOC 500. In this case, in addition to the random challenge Random Challenge_EN, public information such as a product number (ID) of the camera device 400, which may distinguish the camera device 400, may be further transmitted to the ADAS SOC 500.

The ADAS SOC 500 may store the product number (ID) information of the camera device 400 in advance, and may decrypt the encrypted text received from the camera device 400 using a pre-shared key, may determine whether the decrypted plaintext is the same as the random challenge transmitted by the ADAS SOC 500, and may also determine whether the product number (ID) received from the camera device 400 is the same as the pre-stored information. According to the determination result, the camera device 400 having the pre-shared key may be authenticated as a legitimate device.

As for the pre-shared key, the same key may be used for each camera device 400, or a different key may be used for each device. When a different key is used for each device, the ADAS SOC 500 may include a database in which a product ID and keys of the camera device 400 are arranged.
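The pre-shared-key procedure of FIG. 13, with the per-device key database described above, can be sketched as follows. This is an added example, not code from the disclosure. The text has the camera AES-encrypt the random challenge; here HMAC-SHA256 over the challenge is substituted as the proof of key possession because it is available in the Python standard library. The class names, device IDs and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def prove(psk: bytes, challenge: bytes) -> bytes:
    """Proof of key possession (HMAC substituted for the AES encryption)."""
    return hmac.new(psk, challenge, hashlib.sha256).digest()


class CameraDevice:
    def __init__(self, device_id: str, psk: bytes):
        self.device_id = device_id   # public product number (ID)
        self.psk = psk               # kept in secure storage on a real device

    def respond(self, challenge: bytes) -> Tuple[str, bytes]:
        return self.device_id, prove(self.psk, challenge)


class AdasSoc:
    def __init__(self, key_db: Dict[str, bytes]):
        self.key_db = dict(key_db)   # product ID -> pre-shared key
        self.pending: Optional[bytes] = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh random challenge
        return self.pending

    def verify(self, device_id: str, response: bytes) -> bool:
        # Each challenge is single use: consume it before any check.
        challenge, self.pending = self.pending, None
        if challenge is None:
            return False
        psk = self.key_db.get(device_id)
        if psk is None:              # ID not in the pre-stored information
            return False
        return hmac.compare_digest(prove(psk, challenge), response)


def authenticate(soc: AdasSoc, camera: CameraDevice) -> bool:
    return soc.verify(*camera.respond(soc.new_challenge()))


def scenarios() -> Dict[str, bool]:
    key_a, key_b = secrets.token_bytes(16), secrets.token_bytes(16)
    soc = AdasSoc({"CAM-A": key_a, "CAM-B": key_b})   # constructed database
    genuine = CameraDevice("CAM-A", key_a)

    results = {
        "genuine": authenticate(soc, genuine),
        "wrong_key": authenticate(soc, CameraDevice("CAM-A", secrets.token_bytes(16))),
        "unknown_id": authenticate(soc, CameraDevice("CAM-Z", key_a)),
        # Right key for CAM-A, but presented under CAM-B's product ID.
        "id_key_mismatch": authenticate(soc, CameraDevice("CAM-B", key_a)),
    }

    # A response recorded for one challenge is useless for the next one.
    recorded = genuine.respond(soc.new_challenge())
    results["first_use"] = soc.verify(*recorded)
    soc.new_challenge()
    results["recorded_response_reused"] = soc.verify(*recorded)
    # With no outstanding challenge nothing is accepted.
    results["no_pending_challenge"] = soc.verify(*recorded)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

With per-device keys, the product ID selects the key, so a valid key presented under another device's ID is rejected as well.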

FIG. 14 is a diagram illustrating the example in which a camera device and an ADAS SOC may perform device authentication by a public key cryptosystem. As for the authentication method using a public key cryptosystem, it may not be necessary to share a key in advance, and only one product may need to be revoked even when a private key is exposed. In an example embodiment, a certificate authority (CA) may be required to apply the public key encryption system. The authentication method based on the public key encryption system may be performed in the order as below.

The certification authority (CA) may transmit the public key (e.g., the certification authority public key Public Key_CA) to the ADAS SOC 500, and may issue a certificate for the private key of the camera device 400. In an example embodiment, to confirm that the camera device 400 is a legitimate device, the ADAS SOC 500 may determine whether the camera device 400 possesses a private key based on a challenge-response scheme. To this end, the ADAS SOC 500 may generate a challenge-response and may transmit the challenge-response to the camera device 400.

The camera device 400 receiving the challenge-response may digitally sign the challenge-response using a private key stored in the secure storage unit 434, and may transmit the digitally signed challenge-response to the ADAS SOC 500. In this case, the camera device 400 may also transmit a certificate thereof to the ADAS SOC 500.

The ADAS SOC 500 may verify the certificate transmitted by the camera device 400 with the certification authority public key Public Key_CA of the camera device 400 to secure the public key of the camera device 400, may verify the digital signature transmitted by the camera device 400 using the key, and may determine whether the camera device 400 is a legitimate device according to the verification result.

FIG. 15 is a diagram illustrating the example in which the camera device and the ADAS SOC perform device authentication through transmission of a session key and a subsequent processing. Device authentication according to the session key method may be performed through a method partially similar to the authentication method using the above-described public key cryptosystem. When the ADAS SOC 500 generates a session key, encrypts the session key into a public key of the camera device 400 and transmits the key, the camera device 400 may decrypt the information provided from the ADAS SOC 500 to a private key thereof and may secure a session key, and may perform communication using the session key. Accordingly, since only the legitimate camera device 400 holding the private key may normally perform the subsequent operation, whether the device is a legitimate device may be confirmed by whether the subsequent communication is normally performed without a separate authentication process.

Similarly to the above-described public key encryption method, the ADAS SOC 500 may secure and verify the certificate of the camera device 400, thereby securing the public key of the camera device 400. The ADAS SOC 500 may also generate a session key, may encrypt the key into a public key of the camera device 400, and may transmit the key to the camera device 400. The camera device 400 may secure a session key by decrypting the encrypted text transmitted as a private key thereof. Thereafter, a corresponding session key may be used to authenticate an image, and the ADAS SOC 500 may authenticate that the camera device 400 is a legitimate device when image authentication is normally performed.

As in the example embodiments, after device authentication is normally performed, image authentication using at least a portion of an image and a session key may be performed. When device authentication fails, the ADAS SOC 500 may perform a process such as stopping communication with the camera device for which device authentication has failed, or discarding an image transmitted from the camera device.

FIG. 16 is a perspective diagram illustrating an automotive camera device 1000 according to an example embodiment. Referring to FIG. 16, the vehicle camera device 1000 may include a first shell 1001, a lens 1100, a first screw 1200, a second shell 1300, a sealing ring 1400, an image sensor board 1500, a copper pillar 1600, a serializer board 1700, a ring 1800, and a second screw 1900. The image sensor board 1500 may be configured to include the automotive image sensor described with reference to FIGS. 1 to 15.

At least one of the components, elements, modules or units (collectively “components” in this paragraph) represented by a block in the drawings may be embodied as various numbers of hardware, software and/or firmware structures that execute respective functions described above, according to an exemplary embodiment. For example, at least one of these components may use a direct circuit structure, such as a memory, a processor, a logic circuit, a look-up table, etc. that may execute the respective functions through controls of one or more microprocessors or other control apparatuses. Also, at least one of these components may be specifically embodied by a module, a program, or a part of code, which contains one or more executable instructions for performing specified logic functions, and executed by one or more microprocessors or other control apparatuses. Further, at least one of these components may include or may be implemented by a processor such as a central processing unit (CPU) that performs the respective functions, a microprocessor, or the like. Two or more of these components may be combined into one single component which performs all operations or functions of the combined two or more components. Also, at least part of functions of at least one of these components may be performed by another of these components. Further, although a bus is not illustrated in the above block diagrams, communication between the components may be performed through the bus. Functional aspects of the above exemplary embodiments may be implemented in algorithms that execute on one or more processors. Furthermore, the components represented by a block or processing steps may employ any number of related art techniques for electronics configuration, signal processing and/or control, data processing and the like.

The image processing system according to example embodiments may receive a cybersecurity key from a host after a reset operation in the automotive CIS and may perform a security operation, and the booting time may be reduced by eliminating the key receiving time.

According to the aforementioned example embodiments, an automotive image sensor, an image processing system including the same, and an operating method thereof may, by instantly outputting image data obtained while performing device authentication, reduce the booting time and perform fast booting.

The automotive image sensor, an image processing system including the same, and an operating method thereof in an example embodiment may also improve user convenience by instantly outputting image data through the fast booting.

While example embodiments have been illustrated and described above, it will be apparent to those skilled in the art that modifications and variations could be made without departing from the scope of the present disclosure as defined by the appended claims and their equivalents.

1. A method of operating an automotive image sensor, the method comprising: performing a reset operation to set an initialization register corresponding to operation information of the automotive image sensor; receiving a device authentication request from an electronic control unit after performing the reset operation; performing an authentication operation with the electronic control unit based on the device authentication request; obtaining first image data while performing the authentication operation; transmitting the first image data to the electronic control unit while performing the authentication operation; obtaining second image data after the authentication operation is completed; generating a tag for the second image data; and transmitting the second image data and the tag to the electronic control unit.
2. The method of claim 1, further comprising: ending the reset operation after setting the initialization register is completed.
3. The method of claim 2, wherein the transmitting the first image data comprises transmitting the first image data to the electronic control unit after releasing the reset operation.
4. The method of claim 2, wherein the performing the authentication operation comprises performing the authentication operation based on a challenge-response scheme.
5. The method of claim 1, wherein the performing the authentication operation comprises performing the authentication operation based on an asymmetric-key encryption algorithm.
6. The method of claim 1, wherein the performing the authentication operation comprises: receiving a secure function request from the electronic control unit; receiving a Rivest Shamir Adleman (RSA) encryption code from the electronic control unit based on a communication channel; and decrypting the RSA encryption code based on a private key to obtain a key value.
7. The method of claim 6, wherein the generating the tag comprises generating the tag corresponding to the second image data based on the key value.
8. The method of claim 7, wherein the tag comprises a message authentication (MAC) value for all of the second image data or a portion of the second image data.
9. The method of claim 6, wherein the performing the authentication operation comprises reading the private key from a one-time programming (OTP) memory.
10. The method of claim 1, wherein the authentication operation is performed by an inter-integrated circuit (I2C) interface or a serial peripheral interface (SPI) between the automotive image sensor and the electronic control unit, and wherein the operation of transmitting the first image data and the second image data is performed by a mobile industry processor interface (MIPI) automotive SerDes solution (MASS).
11. An automotive image sensor comprising: a pixel array comprising a plurality of pixels provided in a plurality of row lines and a plurality of column lines; a row driver configured to select one of the plurality of row lines; an analog-to-digital conversion circuit configured to convert analog signals output by the pixel array into digital data by comparing the analog signals with a ramp signal; a ramp signal generator configured to generate the ramp signal; a buffer memory configured to store the digital data; a digital processing device configured to process the digital data into image data; a timing controller configured to control the pixel array, the row driver, the analog-to-digital conversion circuit, the ramp signal, the buffer memory, and the digital processing device; and a security circuit configured to perform device authentication with an external electronic control unit and to generate a tag for all of the image data or a portion of the image data based on key information corresponding to the device authentication, wherein the digital processing device transmits the image data to the electronic control unit while performing the device authentication.
12. The automotive image sensor of claim 11, wherein the digital processing device is further configured to transmit the image data and the tag to the electronic control unit after performing the device authentication.
13. The automotive image sensor of claim 11, wherein the security circuit is further configured to perform the device authentication based on a Rivest Shamir Adleman (RSA) encryption algorithm.
14. The automotive image sensor of claim 11, wherein the security circuit comprises: an authenticator configured to perform device authentication based on the electronic control unit and an asymmetric-key encryption algorithm; a tag generator configured to generate the tag corresponding to the image data based on a key value shared based on the device authentication; and an image area selector configured to select a portion of the image data required to generate the tag.
15. The automotive image sensor of claim 14, wherein the asymmetric-key encryption algorithm is configured as a Rivest Shamir Adleman (RSA) encryption algorithm, and wherein the security circuit is further configured to: transmit a public key to the electronic control unit based on a device authentication request of the electronic control unit; receive an RSA encryption code from the electronic control unit; and obtain the key value by decrypting the RSA encryption code based on a private key.
 16. An image processing system comprising: an automotive image sensor configured to obtain an image; and an electronic control unit configured to receive image data from the automotive image sensor and to process the image data, wherein the electronic control unit comprises: a boot mode selector configured to select one of a normal boot mode and a quick boot mode; and a security module configured to perform device authentication based on the automotive image sensor and verify integrity of the image data received from the automotive image sensor, wherein, in the normal boot mode, an initial setting operation of the automotive image sensor is requested after the device authentication is performed by the automotive image sensor, and wherein, in the quick boot mode, the initial setting operation of the automotive image sensor is requested after the initial setting operation of the automotive image sensor is performed.
 17. The automotive image sensor of claim 16, wherein the electronic control unit is further configured to: read a public key of the automotive image sensor through a communication channel; transmit a Rivest Shamir Adleman (RSA) encryption code corresponding to the public key to the automotive image sensor through the communication channel; and request the initial setting operation to the automotive image sensor, in the normal boot mode.
 18. The automotive image sensor of claim 17, wherein the communication channel is implemented as an inter-integrated circuit (I2C) interface or a serial peripheral interface (SPI).
 19. The automotive image sensor of claim 16, wherein the electronic control unit is further configured to: request the initial setting operation of the automotive image sensor through a communication channel; read a public key of the automotive image sensor through the communication channel; and transmit a Rivest Shamir Adleman (RSA) encryption code corresponding to the public key to the automotive image sensor through the communication channel, in the quick boot mode.
 20. The automotive image sensor of claim 16, wherein the electronic control unit is further configured to receive the image data from the automotive image sensor based on a mobile industry processor interface (MIPI) automotive SerDes solution (MASS) standard.
 21-25. (canceled)
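The tag flow of claims 11, 12, 14 and 16 can be sketched as follows; this is an added example, not code from the patent. HMAC-SHA256 as the tag algorithm, the 16x8 frame, the tagged row range and all function names are assumptions, and the fixed key is a constructed stand-in for the key value obtained through the RSA exchange of claim 15.

```python
import hashlib
import hmac

WIDTH, HEIGHT = 16, 8            # constructed 8-bit frame, one byte per pixel
TAG_ROWS = (2, 3, 4, 5)          # assumed region both sides agree on

def select_area(frame: bytes, rows) -> bytes:
    """Image area selector: concatenate only the rows that feed the tag."""
    return b"".join(frame[r * WIDTH:(r + 1) * WIDTH] for r in rows)

def make_tag(frame: bytes, key: bytes, rows=TAG_ROWS) -> bytes:
    """Tag generator: HMAC-SHA256 (assumed) over the row list and selected pixels."""
    return hmac.new(key, bytes(rows) + select_area(frame, rows), hashlib.sha256).digest()

def sensor_send(frame, key):
    """Sensor: frames sent while authentication is still running carry no tag."""
    return (frame, make_tag(frame, key)) if key is not None else (frame, None)

def ecu_check(frame, tag, key) -> str:
    """ECU security module: classify a received frame."""
    if key is None or tag is None:
        return "unauthenticated"
    return "ok" if hmac.compare_digest(make_tag(frame, key), tag) else "tampered"

def flip(frame: bytes, index: int) -> bytes:
    """Simulate modification of one pixel between sensor and ECU."""
    out = bytearray(frame)
    out[index] ^= 0xFF
    return bytes(out)

def demo() -> dict:
    key = bytes(range(32))                    # constructed stand-in for the shared key value
    frame = bytes(range(WIDTH * HEIGHT))      # constructed frame
    early = sensor_send(frame, None)          # first image data, sent during authentication
    later, tag = sensor_send(frame, key)      # second image data, sent after authentication
    return {
        "during_auth": ecu_check(*early, key),
        "after_auth": ecu_check(later, tag, key),
        "changed_in_region": ecu_check(flip(later, 2 * WIDTH + 3), tag, key),
        "changed_outside_region": ecu_check(flip(later, 0), tag, key),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last case verifies as "ok": a tag computed over a portion of the image says nothing about pixels outside that portion, and frames received during authentication carry no integrity evidence at all.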